git://git.webkit.org / WebKit-https.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 0e545dd) | patch
for-in loops should preserve and restore the TDZ stack for each of its internal loops.
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 26 May 2018 00:23:57 +0000 (00:23 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 26 May 2018 00:23:57 +0000 (00:23 +0000)
commit340b3cdeb8275f4f57c505257a133ee0b7450133
tree6074ab2e9ec8a67f33582b3ec70de48f5fb99794tree | snapshot
parent0e545ddc431738aeec2fc65537feeea564c1e364commit | diff
for-in loops should preserve and restore the TDZ stack for each of its internal loops.
https://bugs.webkit.org/show_bug.cgi?id=185995
<rdar://problem/40173142>

Reviewed by Saam Barati.

JSTests:

* stress/regress-185995.js: Added.

Source/JavaScriptCore:

This is because there's no guarantee that any of the loop bodies will be
executed.  Hence, there's no guarantee that the TDZ variables will have been
initialized after each loop body.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::preserveTDZStack):
(JSC::BytecodeGenerator::restoreTDZStack):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ForInNode::emitBytecode):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232219 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog diff | blob | history
JSTests/stress/regress-185995.js [new file with mode: 0644] blob
Source/JavaScriptCore/ChangeLog diff | blob | history
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp diff | blob | history
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h diff | blob | history
Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp diff | blob | history
Mirror of the WebKit open source project from svn.webkit.org.